Abstract. Current automated approaches for compositional model checking in 
the assume-guarantee style are based on learning of assumptions as deterministic 
automata. We propose an alternative approach based on abstraction refinement. 
Our new method computes the assumptions for the assume-guarantee rules as 
conservative and not necessarily deterministic abstractions of some of the compo- 
nents, and refines those abstractions using counterexamples obtained from model 
checking them together with the other components. Our approach also exploits 
the alphabets of the interfaces between components and performs iterative refine- 
ment of those alphabets as well as of the abstractions. We show experimentally 
that our preliminary implementation of the proposed alternative achieves similar 
or better performance than a previous learning-based implementation. 


1 Introduction 

Despite impressive recent progress in the application of model checking to the verifi- 
cation of realistic systems, the essential challenge in model checking remains the well- 
known state-space explosion problem [8]. Compositional techniques attempt to tame 
this problem by applying verification to individual components and merging the results 
without analyzing the whole system. In checking components individually, it is often 
necessary to incorporate some knowledge of the context in which each component is 
expected to operate correctly. Assume-guarantee reasoning [13, 15] addresses this is- 
sue by using assumptions that capture the expectations that a component makes about 
its environment. Assumptions have traditionally been developed manually, which has 
limited the practical impact of assume-guarantee reasoning. 

In recent work, automation has been achieved through learning-based techniques [10]. 
The L* learning algorithm [2] is used to generate the assumptions needed for the 
assume-guarantee rules. The simplest such rule checks if a system composed of com- 
ponents $M_1$ and $M_2$ satisfies a property $P$ by checking that $M_1$ under assumption $A$ 
satisfies $P$ (Premise 1) and discharging $A$ on the environment $M_2$ (Premise 2). For 
safety properties, Premise 2 amounts to checking that $A$ is a conservative abstraction 
of $M_2$, i.e., an abstraction that preserves all of $M_2$'s execution paths. This rule is also 
represented as follows, where the notation is described in more detail in Section 2. 



    (Premise 1)   $\langle A \rangle\; M_1\; \langle P \rangle$ 
    (Premise 2)   $\langle true \rangle\; M_2\; \langle A \rangle$                                    (1) 
    ------------------------------------------------ 
                  $\langle true \rangle\; M_1 \,\|\, M_2\; \langle P \rangle$ 

Learning-based assume-guarantee verification is an iterative process, during which L* 
makes conjectures in the form of automata that represent intermediate assumptions. 
Each conjectured assumption $A$ is used to check the two premises of Rule 1. The pro- 
cess ends if $A$ passes both premises of the rule, in which case the property holds in the 
system, or if it uncovers a real violation. Otherwise, a counterexample is returned and 
L* modifies the conjecture. Similar approaches are proposed in [1, 4, 17]; the work in 
[12] uses sampling rather than L* to learn the assumptions in a similar way. 

In this paper we propose an alternative approach, AGAR (Assume-Guarantee Ab- 
straction Refinement), that automates assume-guarantee reasoning by iteratively com- 
puting assumptions as conservative abstractions of the interface behavior of $M_2$, i.e., 
the behavior that concerns the interaction with $M_1$. In each iteration, the computed as- 
sumption $A$ satisfies Premise 2 of Rule 1 by construction and it is only checked for 
Premise 1. If the check is successful, we conclude that $M_1 \| M_2$ satisfies the property; 
if the check fails, we get a counterexample trace that we analyze to see if it corresponds 
to a real error in $M_1 \| M_2$ or it is spurious due to the over-approximation in the ab- 
straction. If it is spurious, we use it to refine $A$ and then repeat the entire process. 
Unlike learning-based assumption generation, AGAR does not constrain assumptions 
to be deterministic. Therefore the assumptions constructed with AGAR can be (po- 
tentially) exponentially smaller than those obtained with learning, resulting in smaller 
verification problems. 

To reduce the assumption sizes even further, we also combine the abstraction re- 
finement with an orthogonal technique, interface alphabet refinement, which extends 
AGAR so that it starts the construction of $A$ with a small subset of the interface alphabet 
and adds actions to the alphabet as necessary until the required property is shown to hold 
or to be violated in the system. Actions to be added are also discovered by counterex- 
ample analysis. We introduced alphabet refinement in [11] for learning-based assume- 
guarantee reasoning; we adapt it here for AGAR^3. We have implemented AGAR with 
alphabet refinement in the explicit-state model checker LTSA [14] and performed a se- 
ries of experiments that demonstrate that it can achieve better performance than L* for 
Rule 1 above. 

Related work. AGAR is a variant of the well-known CEGAR (Counterexample- 
Guided Abstraction Refinement) [7], with the notable differences that the computed 
abstractions keep information only about the interface behavior of $M_2$ that concerns 
the interaction with $M_1$, abstracting away its internal behavior, and that the coun- 
terexamples used for the refinement of $M_2$'s abstractions are obtained in an assume- 
guarantee style, by model checking the other component, $M_1$. 

CEGAR has been used before in compositional reasoning in [5]. In that work, a 
conservative abstraction of every component is constructed and then all the resulting 
abstractions are composed and checked. If the check passes, the verification concludes 
successfully; otherwise the resulting abstract counterexample is analyzed on every ab- 
straction, which is refined if needed. The work does not use assume-guarantee reasoning, 
it does not address the reduction of the interface alphabets, and it has not been compared 
with learning-based techniques. 

^3 Note that [6] introduced a related alphabet minimization technique for L* as well. 

Fig. 1. (a) Example LTSs; (b) Order property. 

A comparison of learning and CEGAR-based techniques has been performed in [3], 
but for a different problem: the "interface synthesis" for a single component whose 
environment is unknown. In our context, this would mean generating an assumption 
that passes Premise 1, in the absence of a second component against which to check 
Premise 2. The interface being synthesized by the CEGAR-based algorithm in [3] is 
built as an abstraction of $M_1$. The work does not apply reduction to interface alphabets, 
nor does it address the verification of the generated interfaces against other components, 
i.e., completing the assume-guarantee reasoning. 

2 Preliminaries 

Labeled Transition Systems (LTSs). We model components as finite-state labeled 
transition systems (LTSs), as considered by LTSA. Let $U$ be the universal set of ob- 
servable actions and let $\tau$ denote a special action that is unobservable. 

An LTS $M$ is a tuple $(Q, \Sigma, \delta, q_0)$, where: $Q$ is a finite non-empty set of states; 
$\Sigma \subseteq U$ is the alphabet of $M$; $\delta \subseteq Q \times (\Sigma \cup \{\tau\}) \times Q$ is a transition relation, and $q_0$ is 
the initial state. We write $(q, a, q') \in \delta$ as $q \xrightarrow{a} q'$. An LTS $M$ is non-deterministic if it 
contains $\tau$-transitions or if $\exists (q, a, q'), (q, a, q'') \in \delta$ such that $q' \neq q''$. Otherwise, $M$ is 
deterministic. $\pi$ denotes an error state with no outgoing transitions, and $\Pi$ denotes the 
LTS $(\{\pi\}, U, \emptyset, \pi)$. Let $M = (Q, \Sigma, \delta, q_0)$ and $M' = (Q', \Sigma', \delta', q_0')$; $M$ transits into 
$M'$ with action $a$, denoted $M \xrightarrow{a} M'$, if $(q_0, a, q_0') \in \delta$ and either $Q = Q'$, $\Sigma = \Sigma'$, 
and $\delta = \delta'$ for $q_0' \neq \pi$, or, in the special case where $q_0' = \pi$, $M' = \Pi$. 

Parallel Composition. Parallel composition "$\|$" is a commutative and associative op- 
erator such that: given LTSs $M_1 = (Q_1, \Sigma_1, \delta_1, q_0^1)$ and $M_2 = (Q_2, \Sigma_2, \delta_2, q_0^2)$, 
$M_1 \| M_2$ is $\Pi$ if either one of $M_1, M_2$ is $\Pi$. Otherwise, $M_1 \| M_2$ is an LTS 
$M = (Q, \Sigma, \delta, q_0)$ where $Q = Q_1 \times Q_2$, $q_0 = (q_0^1, q_0^2)$, $\Sigma = \Sigma_1 \cup \Sigma_2$, and $\delta$ is 
defined as follows (the symmetric version also applies): $M_1 \| M_2 \xrightarrow{a} M_1' \| M_2$ if 
$M_1 \xrightarrow{a} M_1'$ and $a \notin \Sigma_2$; and $M_1 \| M_2 \xrightarrow{a} M_1' \| M_2'$ if $M_1 \xrightarrow{a} M_1'$, $M_2 \xrightarrow{a} M_2'$, and $a \neq \tau$. 

As an example [10], consider a simple communication channel that consists of two 
components whose LTSs are shown in Fig. 1(a). 
Paths and traces. A path in an LTS $M = (Q, \Sigma, \delta, q_0)$ is a sequence $p$ of alternating 
states and (observable or unobservable) actions of $M$, $p = q_{i_0}, a_0, q_{i_1}, a_1, \ldots, a_{n-1}, q_{i_n}$, 
such that for every $k \in \{0, \ldots, n-1\}$ we have $(q_{i_k}, a_k, q_{i_{k+1}}) \in \delta$. 

The trace of path $p$, denoted $\sigma(p)$, is the sequence $b_0, b_1, \ldots, b_l$ of actions along 
$p$, obtained by removing all $\tau$ from $a_0, \ldots, a_{n-1}$. A state $q$ reaches a state $q'$ in $M$ 
with a sequence of actions $t$, denoted $q \overset{t}{\Longrightarrow} q'$, if there exists a path $p$ from $q$ to $q'$ in 
$M$ whose trace is $t$, i.e., $\sigma(p) = t$. A trace of $M$ is the trace of a path in $M$ starting 
from $q_0$. The set of all traces of $M$ forms the language of $M$, denoted $\mathcal{L}(M)$. For any 
trace $t = a_0, a_1, \ldots, a_{n-1}$, a trace LTS can be constructed whose only transitions are 
$q_0 \xrightarrow{a_0} q_1 \xrightarrow{a_1} q_2 \cdots \xrightarrow{a_{n-1}} q_n$. We sometimes abuse the notation and denote by $t$ both a 
trace and its trace LTS. The meaning should be clear from the context. For $\Sigma' \subseteq \Sigma$, 
$t\!\upharpoonright_{\Sigma'}$ is the trace obtained by removing from $t$ all actions $a \notin \Sigma'$. Similarly, $M\!\upharpoonright_{\Sigma'}$ is an 
LTS over $\Sigma'$ obtained from $M$ by renaming to $\tau$ all the action labels not in $\Sigma'$. Let $t_1, t_2$ 
be two traces. Let $\Sigma_1, \Sigma_2$ be the sets of actions occurring in $t_1, t_2$, respectively. By the 
symmetric difference of $t_1$ and $t_2$ we mean the symmetric difference of the sets $\Sigma_1$ and $\Sigma_2$. 

Safety properties. A safety LTS is a deterministic LTS not containing $\pi$. A safety prop- 
erty $P$ is a safety LTS whose language $\mathcal{L}(P)$ defines the acceptable behaviors over $\Sigma_P$. 

An LTS $M = (Q, \Sigma, \delta, q_0)$ satisfies $P = (Q_P, \Sigma_P, \delta_P, q_0^P)$, denoted $M \models P$, iff 
$\forall t \in \mathcal{L}(M) \cdot t\!\upharpoonright_{\Sigma_P} \in \mathcal{L}(P)$. For checking a property $P$, its safety LTS is completed 
by adding the error state $\pi$ and transitions on all the missing outgoing actions from all 
states into $\pi$, so that the resulting transition relation is (left-)total (when seen as a relation in 
$(Q \times (\Sigma \cup \{\tau\})) \times Q$) and deterministic; the resulting LTS is denoted by $P_{err}$. LTSA checks 
$M \models P$ by computing $M \| P_{err}$ and checking if $\pi$ is reachable in the resulting LTS. 

For example, the Order property in Fig. 1(b) states that inputs and outputs come in 
matched pairs, with the input always preceding the output. The dashed arrows represent 
transitions to the error state that were added to obtain Order err . 

Assume-guarantee triples. An assume-guarantee triple $\langle A \rangle M \langle P \rangle$ is true if whenever 
component $M$ is part of a system satisfying assumption $A$, the system must also guar- 
antee property $P$. In LTSA, this reduces to checking whether $A \| M \models P$. 

Learning assumptions with L*. Previous work [10] uses the L* algorithm [2] to it- 
eratively learn the assumption $A$ for Rule 1, as a deterministic finite state automaton. 
L* needs to interact with a teacher that answers queries and validates conjectures. For 
membership queries on string $s$, the teacher uses LTSA to check $\langle s \rangle M_1 \langle P \rangle$; if true, 
then $s \in \mathcal{L}(A)$ and the teacher returns "true". Otherwise, the answer to the query 
is "false". The conjectures returned by L* are intermediate assumptions; the teacher 
implements two oracles to validate these conjectures: Oracle 1 guides L* towards a 
conjecture that makes $\langle A \rangle M_1 \langle P \rangle$ true and then Oracle 2 is invoked to discharge $A$ 
on $M_2$. If this is also true, then the assume-guarantee rule ensures that $P$ holds on 
$M_1 \| M_2$; the teacher returns "true" and the computed assumption $A$. If model check- 
ing returns "false", the returned counterexample is analyzed to determine if $P$ is indeed 
violated in $M_1 \| M_2$ or if $A$ is imprecise due to learning, in which case $A$ is modified 
and the process repeats. If $A$ has $n$ states, L* makes at most $n-1$ incorrect conjectures. 
The number of membership queries made by L* is $O(kn^2 + n \log m)$, where $k$ is the 
size of $A$'s alphabet and $m$ is the length of the longest counterexample returned when a 
conjecture is made. 
Interface alphabet. When reasoning in an assume-guarantee style, there is a natural 
notion of the complete interface between $M_1$ and $M_2$, when property $P$ is checked. 
Let $M_1 = (Q_1, \Sigma_1, \delta_1, q_0^1)$ and $M_2 = (Q_2, \Sigma_2, \delta_2, q_0^2)$ be LTSs modeling two compo- 
nents and let $P = (Q_P, \Sigma_P, \delta_P, q_0^P)$ be a safety property. The interface alphabet $\Sigma_I$ is 
defined as $\Sigma_I = (\Sigma_1 \cup \Sigma_P) \cap \Sigma_2$. 

3 Motivating Example 

We motivate our approach using the input-output example from Section 2. We show 
that even on this simple example AGAR leads to smaller assumptions in fewer iter- 
ations than the learning approach, and therefore it potentially leads faster to smaller 
verification problems. 

Let $M_1$ = Input, $M_2$ = Output, and $P$ = Order. As mentioned, we aim to automati- 
cally compute an assumption according to Rule 1. Instead of "guessing" an assumption 
and then checking both premises of the rule, as in the learning approaches, we build 
an abstraction that satisfies Premise 2 by construction. Therefore, all that needs to be 
checked is Premise 1. 

The initial abstraction $A$ of Output is illustrated in Figure 2(a). Its alphabet consists 
of the interface between Input and the Order property on one side, and Output on the 
other, i.e., the alphabet of $A$ is $\Sigma_I = (\Sigma_{Input} \cup \Sigma_{Order}) \cap \Sigma_{Output}$. The LTS $A$ is con- 
structed simply by mapping all concrete states in Output to the same abstract state 0, 
which has a self-loop on every action in $\Sigma_I$ and no other transitions. By construction, 
$A$ is an over-approximation of $M_2$, i.e., $\mathcal{L}(M_2\!\upharpoonright_{\Sigma_I}) \subseteq \mathcal{L}(A)$, and therefore Premise 2, 
$\langle true \rangle M_2 \langle A \rangle$, holds. Checking Premise 1 of the assume-guarantee rule using $A$ as the 
assumption fails, with abstract counterexample $0, output, 0$. We simulate this coun- 
terexample on $M_2$ and find that it is spurious (i.e., it does not correspond to a trace in 
$M_2$), therefore $A$ needs to be refined so that the refined abstraction no longer contains 
this trace. We split abstract state 0 into two new abstract states: abstract state 0, repre- 
senting concrete states 0 and 2, which do not have an outgoing output action, and abstract 
state 1, representing concrete state 1, which has an outgoing output action, and adjust the 
transitions accordingly. The refined abstraction $A'$, shown in Figure 2(a), is checked 
again for Premise 1 and this time it passes, therefore AGAR terminates and reports that 
the property holds. 

The sequence of assumptions learned with L* is shown in Figure 2(b). The assump- 
tion computed by AGAR thus has two states fewer than that obtained from learning and 
is computed in two fewer iterations. 

4 Assume-Guarantee Abstraction Refinement (AGAR) 

The abstraction refinement presented here is an adaptation of the CEGAR framework 
of [7], with the following notable differences: 1) abstraction refinement is performed 
in the context of LTSs; abstract transitions for LTSs are computed using closure with 
respect to actions that are not in their interface alphabet, and 2) counterexample analy- 
sis is performed in an assume-guarantee style: a counterexample obtained from model 
checking one component is used to refine abstractions of a different component. 
Fig. 2. Assumptions computed (a) with our algorithm and (b) with L*. 

In this section, we start by describing, independently of the assume-guarantee rule, 
abstraction refinement as applied to LTSs. We then describe how we use this abstrac- 
tion refinement in an iterative algorithm (AGAR) that computes assumptions for Rule 1. 
Later on, we combine AGAR with an orthogonal algorithm that performs iterative re- 
finement of the interface alphabet between the analyzed components. 

4.1 Abstraction refinement for LTSs 

Abstraction. Let $C = (Q_C, \Sigma_C, \delta_C, q_0^C)$ be an LTS that we refer to as concrete. Let al- 
phabet $\Sigma_A$ be such that $\Sigma_A \subseteq \Sigma_C$. An abstraction $A$ of $C$ is an LTS $(Q_A, \Sigma_A, \delta_A, q_0^A)$ 
such that there exists a surjection $\alpha : Q_C \to Q_A$, called the abstraction function, that 
maps each concrete state $q^C \in Q_C$ to an abstract state $q^A \in Q_A$; $q_0^A$ must be such that 
$\alpha(q_0^C) = q_0^A$. The concretization function $\gamma : Q_A \to 2^{Q_C}$ is defined for any $q^A \in Q_A$ 
as $\gamma(q^A) = \{q^C \in Q_C \mid \alpha(q^C) = q^A\}$. Note that $\gamma$ induces a partition on $Q_C$, namely 
$\{\gamma(q^A) \mid q^A \in Q_A\}$. 

To define the abstract transition relation $\delta_A$, we first introduce the notion of reach- 
ability with respect to a subset alphabet. For $q^C \in Q_C$, $a \in \Sigma_C$, we define the set 
$Reachable_C(q^C, a, \Sigma_A)$ of concrete states $q^{C\prime}$ reachable from $q^C$ on action $a$, under the 
transitive closure of $\delta_C$ over actions in $(\Sigma_C \setminus \Sigma_A) \cup \{\tau\}$: 

$$Reachable_C(q^C, a, \Sigma_A) = \{\, q^{C\prime} \in Q_C \mid \exists t, t' \in ((\Sigma_C \setminus \Sigma_A) \cup \{\tau\})^* \cdot q^C \overset{t\,a\,t'}{\Longrightarrow} q^{C\prime} \,\}.$$ 

We define the abstraction to be existential, but using $Reachable_C$ instead of the 
usual transition relation of $C$ [7]: $(q^A, a, q^{A\prime}) \in \delta_A$ iff 

$$\exists q^C, q^{C\prime} \in Q_C \cdot \alpha(q^C) = q^A,\ \alpha(q^{C\prime}) = q^{A\prime},\ \text{and}\ q^{C\prime} \in Reachable_C(q^C, a, \Sigma_A) \qquad (2)$$ 

From the above definition and that of weak simulation [16], it follows that the abstrac- 
tion defines a weak simulation relation between $C\!\upharpoonright_{\Sigma_A}$ and $A$. It is known that weak 
simulation implies trace inclusion [16]. We therefore have the following: 
Algorithm 1 CEGAR for LTSs with respect to subset alphabets 

Inputs: Concrete LTS $C$, its abstraction $A$, and an abstract counterexample 
$p = q_0^A, a_1, q_1^A, a_2, \ldots, a_n, q_n^A$ in $A$. 
Outputs: a concrete counterexample $t$, if $p$ is not spurious, or a refined abstraction $A'$ without 
path $p$, if $p$ is spurious. 

 1: $i \leftarrow 0$ 
 2: $S_0 \leftarrow \{q_0^C\}$ 
 3: while $S_i \neq \emptyset \wedge i < n$ do 
 4:     $i \leftarrow i + 1$ 
 5:     $S_i \leftarrow \gamma(q_i^A) \cap Reachable_C(S_{i-1}, a_i, \Sigma_A)$ 
 6: end while 
 7: if $S_i = \emptyset$ then 
 8:     split $q_{i-1}^A$ into two new abstract states $x_{i-1}^A, z_{i-1}^A$ s.t. 
        $\gamma(x_{i-1}^A) = \gamma(q_{i-1}^A) \cap \{q^C \mid Reachable_C(q^C, a_i, \Sigma_A) \cap \gamma(q_i^A) \neq \emptyset\}$, 
        $\gamma(z_{i-1}^A) = \gamma(q_{i-1}^A) \setminus \gamma(x_{i-1}^A)$ 
 9:     build new abstraction $A'$ with $Q_{A'} = Q_A \setminus \{q_{i-1}^A\} \cup \{x_{i-1}^A, z_{i-1}^A\}$ 
10:     change only incoming and outgoing transitions for $q_{i-1}^A$ in $A$ to/from $\{x_{i-1}^A, z_{i-1}^A\}$ in 
        refined abstraction $A'$, according to Definition 2 
11:     return $A'$ 
12: else 
13:     return concrete trace $t \leftarrow \sigma(p)$ 
14: end if 


Proposition 1. Given concrete LTS $C$ and its abstraction $A$ defined as above, 
$\mathcal{L}(C\!\upharpoonright_{\Sigma_A}) \subseteq \mathcal{L}(A)$, and consequently $\langle true \rangle C \langle A \rangle$ holds. 

The CEGAR algorithm for LTSs is defined by Algorithm 1. It takes as inputs a 
concrete system $C$, an abstraction $A$ (as defined above), and an abstract counterexample 
path $p$ (in $A$). The algorithm analyzes the counterexample (lines 1-6) to see if it is real, 
in which case it is returned (line 13), or spurious, in which case it is used to refine the 
abstraction (lines 7-11). The refined abstraction $A'$ is such that it no longer contains $p$. 
We discuss Algorithm 1 in more detail below. 

Analysis of abstract counterexamples. Suppose we have obtained an abstract coun- 
terexample in the form of a path $p = q_0^A, a_1, q_1^A, a_2, \ldots, a_n, q_n^A$ in the abstraction $A$ of 
$C$. We want to determine if it corresponds to a concrete path in $C$. For this we need to 
"play" (i.e., symbolically simulate) $p$ in $C$ from the initial state $q_0^C$. We do so considering 
that $\Sigma_A \subseteq \Sigma_C$ and thus we use $Reachable_C$ again. 

We first extend $Reachable_C$ to sets: for $S \subseteq Q_C$, $Reachable_C(S, a, \Sigma_A) = \{q^{C\prime} \in 
Q_C \mid \exists q^C \in S \cdot q^{C\prime} \in Reachable_C(q^C, a, \Sigma_A)\}$. We play the abstract counterexample $p$ 
following [7]. We start at step 0 with the set $S_0 = \{q_0^C\}$ of concrete states, and the first 
transition $q_0^A \xrightarrow{a_1} q_1^A$ from $p$. Note that $S_0 = \{q_0^C\} \cap \gamma(q_0^A)$. At each step $i \in \{1, \ldots, n\}$, 
we compute the set $S_i = \gamma(q_i^A) \cap Reachable_C(S_{i-1}, a_i, \Sigma_A)$. If, for some $i \leq n$, $S_i$ is 
empty, the abstract counterexample is spurious and we need to refine the abstraction to 
eliminate it. Otherwise, the counterexample corresponds to a concrete path. 

Abstraction refinement. The abstraction refinement is performed in lines 8-10 of Al- 
gorithm 1: $p$ is spurious because abstract state $q_{i-1}^A$ does not distinguish between two 
disjoint, non-empty sets of concrete states [7]: (i) those that reach, with action $a_i$, states 
in the concretization of $q_i^A$ (these are the states defined as $\gamma(x_{i-1}^A)$ in line 8) and (ii) 
those reached so far from $q_0^C$ with the prefix $a_1, a_2, \ldots, a_{i-1}$, i.e., the states in $S_{i-1}$. 

To eliminate the spurious abstract path, we need to refine $A$ by splitting its state 
$q_{i-1}^A$ into (at least) two new abstract states that separate the (concrete) states of types 
(i) and (ii) (line 9). We split $q_{i-1}^A$ into $x_{i-1}^A$, where $\gamma(x_{i-1}^A)$ contains the set of states in 
(i), and $z_{i-1}^A$, where $\gamma(z_{i-1}^A)$ contains the set of states in (ii) and any remaining states 
in $\gamma(q_{i-1}^A)$. Note that this results in a finer partition of the concrete states. After the 
splitting, we update the abstract transitions in line 10. The refined abstraction $A'$ has 
the same transitions as $A$ except for those incoming or outgoing for the split state $q_{i-1}^A$: 
they are readjusted to point to or from the states $x_{i-1}^A, z_{i-1}^A$ according to condition (2). 
We therefore can conclude that: 

Lemma 1. If a counterexample $p$ input to Algorithm 1 is spurious, the returned ab- 
straction $A'$ results in a strictly finer partition than $A$ and does not contain $p$. 

4.2 The AGAR Algorithm 

The pseudocode that combines Algorithm 1 with Rule 1 is given in Algorithm 2. Recall 
that $\Sigma_I$ denotes the alphabet $(\Sigma_{M_1} \cup \Sigma_P) \cap \Sigma_{M_2}$ of the interface between $M_1$ and 
$M_2$, with respect to $P$. The algorithm checks that $M_1 \| M_2$ satisfies $P$ using Rule 1. 
It builds abstractions $A$ of $M_2$ in an iterative fashion (while loop at lines 2-17); these 
abstractions are used to check Premise 1 of the assume-guarantee rule using model 
checking (lines 3-5). If the check is successful, then, according to the rule (and since 
$A$ satisfies Premise 2 by construction), $P$ indeed holds in $M_1 \| M_2$ and the algorithm 
returns "true". Otherwise, a counterexample $p$ is obtained from model checking Premise 
1 (lines 7-9) and Algorithm 1 is invoked to check if $p$ corresponds to a real path in $M_2$ (in 
which case $p$ is a real error in $M_1 \| M_2$ and this is reported to the user in line 
13). If $p$ is spurious, Algorithm 1 returns a refined abstraction $A'$ for which we repeat 
the whole process starting from checking Premise 1. 

Obtaining an abstract counterexample. As mentioned, we use counterexamples from 
failed checks of Premise 1 (that involves checking component $M_1$) to refine abstractions 
of $M_2$. Obtaining an abstract counterexample involves several steps (lines 7-9). First, 
a counterexample from line 3 is a path $o = q_0, b_1, q_1, b_2, \ldots, b_l, q_l$ in $A \| M_1 \| P_{err}$. 
Thus, for every $i \in \{0, \ldots, l\}$, $q_i$ is a triple of states $(q_i^A, q_i^1, p_i)$ from $Q_A \times Q_1 \times Q_{P_{err}}$. We 
first project every triple on $A$ to obtain the sequence $o' = q_0^A, b_1, q_1^A, b_2, q_2^A, \ldots, b_l, q_l^A$; 
$o'$ is not yet a path in $A$ as it may contain actions from $M_1$ and $P_{err}$ that are not observ- 
able to $A$; those actions have to be between the same consecutive abstract states in the 
sequence, since they do not change the state of $A$; we eliminate from $o'$ those actions 
and the duplicate abstract states that they connect, and finally obtain $p$, which we pass to 
Algorithm 1. 

Theorem 1. Our algorithm (AGAR) computes a sequence of increasingly refined ab- 
stractions of $M_2$ until both premises of Rule 1 are satisfied, and we conclude that the 
property is satisfied by $M_1 \| M_2$, or a real counterexample is found that shows the 
violation of the property on $M_1 \| M_2$. 

Proof. Correctness. The algorithm terminates when Premise 1 is satisfied by the current 
abstraction or when a real counterexample is returned by Algorithm 1. In the former 
case, since the abstraction satisfies Premise 2 by construction (Proposition 1), Rule 1 
ensures that $M_1 \| M_2$ indeed satisfies $P$, so AGAR correctly returns answer "true". 
In the latter case, the counterexample returned by Algorithm 1 is a common trace of 
$M_1$ and of $M_2$ that leads to error in $P_{err}$. This shows that property $P$ is violated on 
$M_1 \| M_2$ and in this case again AGAR correctly returns answer "false". 

Termination. AGAR continues to refine the abstraction until a real counterexample is 
reported or the property holds. Refining the abstraction always results in a finer partition 
of its states (Lemma 1), and is thus guaranteed to terminate since in the worst case it 
converges to $M_2$, which is finite-state. $\square$ 


Algorithm 2 AGAR: assume-guarantee verification by abstraction refinement 

Inputs: Component LTSs $M_1, M_2$, safety property LTS $P$, and alphabet $\Sigma_A = \Sigma_I$. 
Outputs: true if $M_1 \| M_2$ satisfies $P$; false with a counterexample, otherwise. 
Uses: Algorithm 1 

 1: Compute initial abstraction $A$ of $M_2$, with a single state $q_0^A$ having self-loops on all actions 
    in $\Sigma_A$ 
 2: while true do 
 3:     Check Premise 1: $\langle A \rangle M_1 \langle P \rangle$ 
 4:     if successful then 
 5:         return true 
 6:     else 
 7:         Get counterexample $o = q_0, b_1, q_1, b_2, \ldots, b_l, q_l$ from line 3, where each $q_i = (q_i^A, q_i^1, p_i)$ 
 8:         Project $o$ on $A$ to get $o' = q_0^A, b_1, q_1^A, b_2, q_2^A, \ldots, b_l, q_l^A$ 
 9:         Project $o'$ on $\Sigma_A$ to get abstract counterexample $p = q_0^A, a_1, q_1^A, \ldots, a_n, q_n^A$ in $A$ 
10:     end if 
11:     Call Algorithm 1 with inputs: $M_2, A, p$ 
12:     if Algorithm 1 returned real counterexample $t$ then 
13:         return false with counterexample $t$ 
14:     else 
15:         $A \leftarrow A'$ 
16:     end if 
17: end while 

If $M_2$ has $n$ states, AGAR makes at most $n$ refinement iterations, and in each it- 
eration, counterexample analysis performs at most $m$ closure operations, each of cost 
$O(n^3)$, where $m$ is the length of the longest counterexample analyzed. This bound is not 
very tight, as the closure steps are done on-the-fly, seldom exhibit worst-case behavior, 
and actually involve only those parts of $M_2$'s transition relation that are needed. 
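The following is an added example (mine, not the paper's LTSA implementation) that runs Algorithms 1 and 2 end to end on the Input/Output channel of Sections 2 and 3, with the full interface alphabet $\Sigma_I$ (Algorithm 3's alphabet refinement is not included). Because Fig. 1 is not reproduced on this page, the three LTSs are reconstructed from the text and are an assumption: Output's concrete states 0 and 2 have no outgoing output, state 1 does, which is the split the motivating example describes. BAD_OUTPUT is a constructed faulty variant used only to exercise the real-counterexample path; all function names are mine. The first run reproduces Section 3: the one-state abstraction fails Premise 1 with the abstract counterexample 0, output, 0; playing it on Output gives an empty $S_1$, so the state is split into {1} and {0, 2}, and the two-state refinement passes.

```python
"""AGAR (Algorithms 1-2) on the Input/Output channel of Sections 2-3. Added example, not
the paper's LTSA code; Fig. 1 is absent, so the LTSs are reconstructed from the text."""
from collections import deque
from itertools import product

TAU, ERR = "tau", "pi"   # unobservable action and the error state; these models use no tau

def lts(states, init, alpha, delta):
    return {"states": set(states), "init": init, "alpha": set(alpha), "delta": set(delta)}

INPUT = lts({0, 1, 2}, 0, {"input", "send", "ack"}, {(0, "input", 1), (1, "send", 2), (2, "ack", 0)})
OUTPUT = lts({0, 1, 2}, 0, {"send", "output", "ack"}, {(0, "send", 1), (1, "output", 2), (2, "ack", 0)})
ORDER = lts({0, 1}, 0, {"input", "output"}, {(0, "input", 1), (1, "output", 0)})
# Assumed faulty variant: emits output before anything was sent, a real Order violation.
BAD_OUTPUT = lts({0, 1, 2}, 0, {"send", "output", "ack"}, {(0, "output", 1), (1, "send", 2), (2, "ack", 0)})

def complete_err(p):
    """P_err: a transition into pi for every (state, action) pair that P leaves undefined."""
    missing = {(q, a, ERR) for q in p["states"] for a in p["alpha"]
               if not any(s == q and x == a for s, x, _ in p["delta"])}
    return lts(p["states"] | {ERR}, p["init"], p["alpha"], p["delta"] | missing)

def successors(ms, q):
    """One step of ms[0] || ... || ms[-1] (Section 2): every component whose alphabet has a moves."""
    for a in sorted(set().union(*(m["alpha"] for m in ms))):
        choices = [[s] if a not in m["alpha"] else [s1 for s0, x, s1 in m["delta"] if s0 == s and x == a]
                   for m, s in zip(ms, q)]
        for combo in product(*choices):   # yields nothing if a synchronising component is stuck
            yield a, tuple(combo)

def find_error(ms):
    """BFS for a product state containing pi; returns the path q0, a1, q1, ..., qn or None."""
    init = tuple(m["init"] for m in ms)
    pred, queue = {init: None}, deque([init])
    while queue:
        q = queue.popleft()
        if ERR in q:
            path = [q]
            while pred[path[-1]] is not None:
                q_prev, a = pred[path[-1]]
                path += [a, q_prev]
            return path[::-1]
        for a, q2 in successors(ms, q):
            if q2 not in pred:
                pred[q2] = (q, a)
                queue.append(q2)
    return None

def reachable(c, srcs, a, alpha_a):
    """Reachable_C(S, a, Sigma_A): closure over (Sigma_C minus Sigma_A) and tau, one a-step, closure."""
    hidden = (c["alpha"] - alpha_a) | {TAU}
    def closure(S):
        S = set(S)
        while True:
            new = {s1 for s0, x, s1 in c["delta"] if s0 in S and x in hidden} - S
            if not new:
                return S
            S |= new
    return closure({s1 for s in closure(srcs) for s0, x, s1 in c["delta"] if s0 == s and x == a})

def abstraction(c, alpha_a, partition):
    """Definition 2: block i --a--> block j iff some state of i reaches some state of j on a."""
    blocks = [frozenset(b) for b in partition]
    delta = {(i, a, j) for i, b in enumerate(blocks) for a in alpha_a
             for j, b2 in enumerate(blocks) if reachable(c, b, a, alpha_a) & b2}
    init = next(i for i, b in enumerate(blocks) if c["init"] in b)
    return lts(range(len(blocks)), init, alpha_a, delta), blocks

def abstract_path(path, alpha_a):
    """Algorithm 2, lines 7-9: keep A's component of each state and only the actions in Sigma_A."""
    return [path[0][0]] + [v for a, q in zip(path[1::2], path[2::2]) if a in alpha_a for v in (a, q[0])]

def cegar_step(c, blocks, p, alpha_a):
    """Algorithm 1: play p on C; ('real', sigma(p)) if every S_i is non-empty, else ('refine', partition)."""
    S = {c["init"]}
    for i in range(1, len(p) // 2 + 1):
        q_prev, a, q_cur = p[2 * i - 2], p[2 * i - 1], p[2 * i]
        S = blocks[q_cur] & reachable(c, S, a, alpha_a)
        if not S:   # spurious: split q_{i-1} into the states that reach gamma(q_i) on a, and the rest
            x = {q for q in blocks[q_prev] if reachable(c, {q}, a, alpha_a) & blocks[q_cur]}
            rest = [b for j, b in enumerate(blocks) if j != q_prev]
            return "refine", rest + [frozenset(x), blocks[q_prev] - x]
    return "real", p[1::2]

def agar(m1, m2, prop):
    """Algorithm 2 with the full interface alphabet: (True, |A|) or (False, counterexample trace)."""
    alpha_a = (m1["alpha"] | prop["alpha"]) & m2["alpha"]
    perr, partition = complete_err(prop), [frozenset(m2["states"])]
    while True:
        A, blocks = abstraction(m2, alpha_a, partition)   # Premise 2 holds by construction
        path = find_error([A, m1, perr])                  # Premise 1: <A> M1 <P>
        if path is None:
            return True, len(blocks)
        verdict, result = cegar_step(m2, blocks, abstract_path(path, alpha_a), alpha_a)
        if verdict == "real":
            return False, result
        partition = result

if __name__ == "__main__":
    print(agar(INPUT, OUTPUT, ORDER), agar(INPUT, BAD_OUTPUT, ORDER))   # (True, 2) (False, ['output'])
```

Two design points differ from the listing without changing the result: `abstraction` recomputes every abstract transition from the current partition instead of readjusting only the split state's transitions as line 10 does, which yields the same $A'$ under Definition 2; and the hidden-action closure in `reachable` only does work when $\Sigma_A \subset \Sigma_C$, which is exactly the situation alphabet refinement creates, so the helper is ready for Algorithm 3 even though this block runs Algorithm 2 alone.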

4.3 AGAR with interface alphabet refinement 

In [11] we introduced an alphabet refinement technique to reduce the alphabet of the 
assumptions learned with L*. This technique improved significantly the performance 
of compositional verification. We show here how alphabet refinement can be similarly 
introduced in AGAR. Instead of the full interface alphabet $\Sigma_I$, we start AGAR from a 
small subset $\Sigma_A \subseteq \Sigma_I$. A good strategy is to start from those actions in $\Sigma_I$ that appear 
in the property to be verified, since the verification should depend on them. We then 
run Algorithm 2 with this small $\Sigma_A$. Alphabet refinement introduces an extra layer of 
approximation, due to the smaller alphabet being used. 


Algorithm 3 AGAR with alphabet refinement 

Inputs: Component LTSs $M_1, M_2$, safety property LTS $P$, and alphabet $\Sigma_A \subseteq \Sigma_I$. 
Outputs: true if $M_1 \| M_2$ satisfies $P$; false with a counterexample, otherwise. 
Uses: Algorithm 2 

 1: while true do 
 2:     Call Algorithm 2 with $M_1, M_2, P, \Sigma_A$ 
 3:     if Algorithm 2 returned true then 
 4:         return true 
 5:     else 
 6:         Obtain counterexample $t = a_1, \ldots, a_n$ from Algorithm 2 and trace $s = \sigma(o')$ from 
            line 8 of Algorithm 2 
 7:         Check if error reachable in $s_{err}\!\upharpoonright_{\Sigma_I} \| M_2$, where $s_{err}\!\upharpoonright_{\Sigma_I}$ is the trace LTS ending with an 
            extra transition into error state $\pi$ 
 8:         if error reached then 
 9:             return false with counterexample $s\!\upharpoonright_{\Sigma_I}$ 
10:         else 
11:             Compare $t$ to $s\!\upharpoonright_{\Sigma_I}$ to find difference action set $\Sigma'$ 
12:             $\Sigma_A \leftarrow \Sigma_A \cup \Sigma'$ 
13:         end if 
14:     end if 
15: end while 


The pseudocode is in Algorithm 3. This algorithm adds an outer loop to AGAR 
(lines 1-15). At each iteration, it invokes AGAR (line 2) for the current alphabet $\Sigma_A$. 
If AGAR returns "true", it means that alphabet $\Sigma_A$ is enough for proving the property 
(and "true" is returned to the user). Otherwise, the returned counterexample needs to be 
further analyzed (lines 5-13) to see if it corresponds to a real error (which is returned to 
the user in line 9) or it is spurious due to the approximation introduced by the smaller 
interface alphabet, in which case it is used to refine this alphabet (lines 11-12). 

Additional counterexample analysis. As explained in [11], when $\Sigma_A \subset \Sigma_I$, the coun- 
terexamples obtained by applying Rule 1 may be spurious, in which case $\Sigma_A$ needs to 
be extended. Intuitively, a counterexample is real if it is still a counterexample when 
considered with $\Sigma_I$. For counterexample analysis, we modify Algorithm 2 to also out- 
put the trace $s = \sigma(o')$ of actions along the intermediate path $o'$ obtained at its line 8. 
Since $p$ is a path obtained from $o'$ by eliminating transitions labeled with actions from 
$\Sigma_I \setminus \Sigma_A$ (see Section 4.2) and $t = \sigma(p)$, it follows that $s$ is an "extension" of $t$ to $\Sigma_I$. 

We check whether $s\!\upharpoonright_{\Sigma_I}$ is a trace of $M_2$ by making it into a trace LTS ending with 
the error state $\pi$, and whose alphabet is $\Sigma_I$ (line 7). Since $M_2$ does not contain $\pi$, the 
only way to reach error is if $s\!\upharpoonright_{\Sigma_I}$ is a trace of $M_2$; if we reach error, the counterexample 
$t$ is real. If $s\!\upharpoonright_{\Sigma_I}$ is not a trace of $M_2$, since $t$ is, we need to refine the current alphabet 
$\Sigma_A$. At this point we have two traces, $s\!\upharpoonright_{\Sigma_I}$ and $t$, that agree with respect to $\Sigma_A$ and 
only differ on the actions from $\Sigma_I \setminus \Sigma_A$; since one trace is in $M_2$ and the other is not, 
we are guaranteed to find in their symmetric difference at least one action that we can 
add to $\Sigma_A$ to eliminate the spurious counterexample $t$. We include the new action(s) 
and then repeat AGAR with the new alphabet. Termination follows from the fact that 
the interface alphabet is finite. 

Table 1. Comparison of AGAR and learning for 2 components, with and without alphabet refinement. 
(|A|: maximum assumption size in states; Mem.: memory in MB; Time: seconds; "-": the 1 GB memory 
or 30-minute limit was exceeded, other quantities shown as they were at that point.) 

                   |   |     No alphabet refinement           |     With alphabet refinement          |     Sizes 
Case               | k |      AGAR           |    Learning     |      AGAR           |    Learning     | |M1 || Perr| |  |M2| 
                   |   | |A|   Mem.    Time  | |A|   Mem.  Time | |A|   Mem.    Time  | |A|   Mem.  Time |              | 
Gas Station        | 3 |  16    4.11    3.33 | 177  42.83    -  |   5    2.99    2.09 |   8   3.28   3.40 |      1960    |    643 
                   | 4 |  19   37.43   23.12 | 195 100.17    -  |   5   22.79   12.80 |   8  25.21  19.46 |     16464    |   1623 
                   | 5 |  22  359.53  278.63 |  45 206.61    -  |   5  216.07   83.34 |   8 207.29 188.98 |    134456    |   3447 
Chiron, Property 2 | 2 |  10    1.30    0.92 |   9   1.30  1.69 |  10    1.30    1.56 |   8   1.22   5.17 |       237    |    102 
                   | 3 |  36    2.59    5.94 |  21   5.59  7.08 |  36    2.44   10.23 |  20   6.00  30.75 |       449    |   1122 
                   | 4 | 160    8.71  152.34 |  39   27.1 32.05 | 160    8.22  252.06 |  38  41.50 180.82 |       804    |   5559 
                   | 5 |   4   55.14     -   | 111 569.23 676.02|   3   58.71     -   | 110     -   386.6 |      2030    | 129228 
Chiron, Property 3 | 2 |   4    1.07    0.50 |   9   1.14  1.57 |   4    1.23    0.62 |   3   1.06   0.91 |       258    |    102 
                   | 3 |   8    1.84    1.60 |  25   4.45  7.72 |   8    2.00    3.65 |   3   2.28   1.12 |       482    |   1122 
                   | 4 |  16    4.01   18.75 |  45  25.49 36.33 |  16    5.08  107.50 |   3   7.30   1.95 |       846    |   5559 
                   | 5 |   4   52.53     -   | 122 134.21 271.30|   1   81.89     -   |   3 163.45  19.43 |      2084    | 129228 
MER                | 2 |  34    1.42   11.38 |  40   6.75  9.89 |   5    1.42    5.02 |   6   1.89   1.28 |       143    |   1270 
                   | 3 |  67    8.10  247.73 | 335 133.34    -  |   9   11.09  180.13 |   8   8.78  12.56 |      6683    |   7138 
                   | 4 |  58  341.49     -   |  38 377.21    -  |   9  532.49     -   |  10 489.51 1220.62|    307623    |  22886 
Rover Exec.        |   |  10    4.07    1.80 |  11   2.70  2.35 |   3    2.62    2.07 |   4   2.46   3.30 |       544    |     41 


5 Evaluation 

We implemented AGAR with alphabet refinement for Rule 1 in the LTSA tool. We 
compared AGAR with learning-based assume-guarantee reasoning, using a similar ex- 
perimental setup as in [11]. The case studies are: Gas Station (with 3 ... 5 customers), 
Chiron, a model of a GUI (with 2 ... 5 event handlers), and two NASA models: the MER 
resource arbiter (with 2 ... 4 threads competing for a common resource) and Rover, 
with an executive and an event monitoring component. We first used the same two- 
way decompositions of these models as described in [11]. For Gas Station and Chiron, 
these decompositions were demonstrated to be the best for the performance of learning 
(without alphabet refinement) among all possible two-way decompositions [9]. 

All experiments were performed on a Dell PC with a 2.8 GHz Intel Pentium 4 CPU
and 1.0 GB of RAM running Linux Fedora Core 4 and Sun's Java SDK version 1.5.
We report the maximum assumption size (i.e., number of states) reached ("|A|"), the
memory consumed ("Mem.") in MB, the time ("Time") in seconds, and the numbers of
states on each side of the two-way decomposition: "|M1 || P_err|" and "|M2|". A "-"
indicates that the limit of 1 GB of memory or 30 minutes has been exceeded. For those
cases, the other quantities are shown as they were when the limit was reached. We also
highlight the best results in bold font.

The results for the first set of experiments are shown in Table 1. Overall, AGAR
shows similar or better results than learning in more than half of the cases. From the
results, we noticed that the relative sizes of M1 || P_err and M2 seem to influence the
performance of the two algorithms; e.g., for Gas Station, where M2 is consistently
smaller, AGAR is consistently better, while for Chiron, as the size of M2 becomes much
larger, the performance of AGAR seems to degrade. Furthermore, we observed that the
learning runs exercise the first component more, whereas AGAR exercises both. We
Table 2. Comparison of AGAR and learning for balanced decompositions.

                No alpha. ref.                                  With alpha. ref.                                Sizes
Case         k  AGAR                  Learning              AGAR                  Learning              |M1 || P_err|  |M2|
                |A|  Mem.    Time     |A|  Mem.    Time     |A|  Mem.    Time     |A|  Mem.    Time
Gas Station  3  10   3.35    3.36     294  367.13  -        5    2.16    3.06     59   11.14   81.19    1692           1942
             4  269  174.03  -        433  188.94  -        10   15.57   191.96   5    9.25    4.73     4608           6324
             5  7    47.91   184.64   113  82.59   -        2    47.48   -        15   52.41   71.29    31411          32768
Chiron,      2  41   2.45    5.46     140  118.59  395.56   9    1.91    3.89     17   2.73    13.09    906            924
Property 2   3  261  81.24   710.1    391  134.57  -        79   39.94   663.53   217  36.12   -        6104           6026
             4  54   7.11    37.91    354  383.93  -        45   9.55    121.66   586  213.78  -        1308           1513
             5  402  73.74   -        112  90.22   -        33   19.66   157.35   46   30.05   686.37   11157          11748
Chiron,      2  2    0.98    0.37     40   5.21    8.30     2    1.02    0.49     3    1.04    0.91     168            176
Property 3   3  88   15.45   102.93   184  284.83  -        46   41.40   115.77   3    5.97    2.26     4240           4186
             4  2    5.60    2.65     408  222.54  -        2    6.14    11.90    20   9.33    7.44     4156           4142
             5  79   44.16   405.03   179  104.25  -        42   42.04   430.47   3    21.94   7.00     16431          16840
MER          4  9    27.62   -        311  104.72  -        2    27.60   -        10   65.42   35.78    10045          66230


therefore considered a second set of experiments where we tried to compare the relative
performance of the two approaches for two-way system decompositions that are more
balanced in terms of number of states.

We generated off-line all the possible two-way decompositions and chose those
minimizing the difference in number of states between M1 || P_err and M2. The rest of
the setup remained the same. The results for these new decompositions are in Table 2
(for MER, in only one case did we find a more balanced partition than previously). These
results show that with these new decompositions AGAR is consistently better in terms
of time (14/21 cases), memory (16/21 cases) and assumption size (16/21 cases)^4. The
results also indicate that the benefits of alphabet refinement are more pronounced for
learning. The results are somewhat non-uniform as k increases because for each larger
value of k we re-computed balanced decompositions independently of those for smaller
values. This is why we even found smaller components for a larger parameter value, as
for Chiron, Property 2, k = 3 vs. k = 4.


6 Conclusions and Future Work 


We have introduced an assume-guarantee abstraction-refinement technique (AGAR) as 
an alternative to learning-based approaches. Our preliminary results clearly indicate 
that the alternative is feasible. We are currently extending AGAR with the following 
rule (for reasoning about n components). 


(Premise 1)   $\langle A_1 \rangle\; M_1\; \langle P \rangle$
(Premise 2)   $\langle A_2 \rangle\; M_2\; \langle A_1 \rangle$
   ...
(Premise n)   $\langle true \rangle\; M_n\; \langle A_{n-1} \rangle$
---------------------------------------------------------------------
              $\langle true \rangle\; M_1 \parallel M_2 \parallel \cdots \parallel M_n\; \langle P \rangle$          (3)


In previous work [11], learning with this rule overcame the intermediate state
explosion related to two-way decompositions (i.e., when components are larger than the
entire system). That helped us demonstrate better scalability of compositional vs. non-
compositional verification, which we believe to be the ultimate test of any compositional
technique. We expect to similarly achieve better scalability for AGAR.

^4 We did not count the cases when both algorithms ran out of limits.

The implementation of AGAR for Rule 3 involves the creation of n - 1 instances
AR_i of our abstraction-refinement code for computing each A_i as an abstraction of
M_{i+1} || A_{i+1}, except for A_{n-1}, which abstracts M_n. Counterexamples obtained from
(Premise 1) are used to refine the intermediate abstractions A_1, ..., A_{n-1}. When A_i is
refined, all the abstractions A_1, ..., A_{i-1} are refined as well to eliminate the spurious
trace. In the future, we also plan to explore extensions of AGAR to liveness properties.
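As an added derivation (not part of the paper), the n-component rule above follows from n - 1 applications of the two-component rule; it assumes Rule 1 in its standard form, from <A> M1 <P> and <true> M2 <A> conclude <true> M1 || M2 <P>, and that || is associative. Read backwards, the chain also shows why the implementation sketched above needs one abstraction A_i per premise i < n, built from M_{i+1} under A_{i+1}, with A_{n-1} built from M_n alone.

```latex
% Added derivation, not from the paper. Assumes Rule 1 (two components):
%   from  <A> M1 <P>  and  <true> M2 <A>  conclude  <true> M1 || M2 <P>,
% and associativity of ||. Set A_0 = P so that Premise i (1 <= i <= n-1)
% reads <A_i> M_i <A_{i-1}>.
\begin{align*}
I(i) &:\quad \langle true\rangle\; M_{i+1}\parallel\cdots\parallel M_n\; \langle A_i\rangle
      \qquad (0 \le i \le n-1) \\[4pt]
I(n-1) &:\quad \langle true\rangle\; M_n\; \langle A_{n-1}\rangle
      \quad\text{is exactly Premise } n \\[4pt]
I(i),\ \text{Premise } i
     &:\quad \langle true\rangle\; M_{i+1}\parallel\cdots\parallel M_n\; \langle A_i\rangle
       \ \text{ and }\ \langle A_i\rangle\; M_i\; \langle A_{i-1}\rangle \\
     &\;\Longrightarrow\; \langle true\rangle\; M_i\parallel M_{i+1}\parallel\cdots\parallel M_n\; \langle A_{i-1}\rangle
       \;=\; I(i-1) \\
     &\qquad\text{(Rule 1 with } M_i \text{ as first component and } M_{i+1}\parallel\cdots\parallel M_n \text{ as second)} \\[4pt]
I(0) &:\quad \langle true\rangle\; M_1\parallel M_2\parallel\cdots\parallel M_n\; \langle P\rangle
      \quad\text{after steps } i = n-1, \dots, 1 \text{; the conclusion of Rule 3}
\end{align*}
% Premise i+1, <A_{i+1}> M_{i+1} <A_i>, holds by construction when A_i is a
% conservative abstraction of M_{i+1} || A_{i+1}; Premise n needs no assumption,
% so A_{n-1} abstracts M_n alone. A counterexample to Premise 1 is therefore
% the only witness that one of A_1, ..., A_{n-1} is too coarse.
```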
Acknowledgements. We thank Moshe Vardi and Orna Grumberg for helpful suggestions
and the CAV reviewers for their comments.